Opened 6 years ago
Closed 4 years ago
#2143 closed enhancement (fixed)
Centralize certbot for SSL cert handling.
| Reported by: | TemptorSent | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | SysAdmin | Keywords: | SSL certbot |
| Cc: |
Description
To reduce the number of certbot installations that must be configured and maintained individually, I propose moving certbot operations to a single primary location ('secure' VM would be a good option IMHO) and forwarding verification requests from each host using http redirects or proxying, and pushing out new keys to each host via ssh. See https://nekudo.com/blog/letsencrypt-in-a-multiserver-environment for a similar configuration.
In this configuration, I believe certbot can run in standalone mode with no webserver required.
Each host only needs to provide a redirect or proxy entry to the certbot host, rather than installing dependencies for certbot on every host.
Certs would be maintained for all domains in a single secure location, reducing the chance of missing renewals and simplifying administration.
Backups would be simplified and the entire certbot configuration can be easily copied to another host if needed.
Keys can be distributed to individual hosts using SCP automated with a simple script after each certbot renewal runs.
Change History (2)
comment:1 by , 5 years ago
comment:2 by , 4 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
I'm going to close this out as all the old servers except for osgeo6 are using nginx proxy now which handles the certs.
Note that for the osgeo7 containers, the nginx container acts as the proxy so handles all the certs - now for nextcloud, bottle.download.osgeo.org and in future download.osgeo.org and others